Idmap config autorid: Difference between revisions

From SambaWiki
m (/* minor update)
mNo edit summary
 
(5 intermediate revisions by the same user not shown)
Line 3: Line 3:
The <code>autorid</code> back end works similar to the <code>rid</code> ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end:
The <code>autorid</code> back end works similar to the <code>rid</code> ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end:


* For the <code>SAMDOM</code> domain and additional domains, without the need to create ID mapping configurations for each of the additional domains.
* For the <code>*</code> default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains.
* Only for specific domains.
* Only for specific domains.


Line 10: Line 10:
{{Imbox
{{Imbox
| type = warning
| type = warning
| text = ID mapping back ends are not supported in the <code>smb.conf</code> file on a Samba Active Directory (AD) domain controller (DC).<br />For details, see [[Updating_Samba#Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File]].
| text = ID mapping back ends are not supported in the <code>smb.conf</code> file on a Samba Active Directory (AD) domain controller (DC).<br />Do not add any idmap config lines to a Samba Active Directory (AD) domain controller (DC) smb.conf<br />For details, see [[Updating_Samba#Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File]].
}}
}}


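Review bot: the wikilink in the new Imbox text, `[[Updating_Samba#Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|...]]`, carries the page name twice before the section anchor; a section link takes a single `#`, so it should read `[[Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|...]]`. The added sentence also repeats "Samba Active Directory (AD) domain controller (DC)" from the sentence before it and lacks a full stop; "Do not add any idmap config lines to the DC's smb.conf." would fix both.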
Line 25: Line 25:


Drawbacks:
Drawbacks:
* User and group IDs are not equal across Samba domain members.
* User and group IDs will not be the same across Samba domain members.
* All domain users get the same login shell and home directory assigned. However, you can use variables.
* All domain users get the same login shell and home directory assigned. However, you can use variables.
* You can not exclude individual users or groups from being available on the domain member, except the calculated UID or GID is outside of the configured range.
* You cannot exclude individual users or groups from being available on the domain member. Only users and groups whose calculated UID or GID is outside of the configured range are excluded.
* You cannot and must not use <code>winbind use default domain = yes</code> in <code>smb.conf</code>, users are always in the form 'DOMAIN\username.






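Review bot: the new bullet `users are always in the form 'DOMAIN\username.` opens a quote it never closes; write `'DOMAIN\username'.` and separate the clause from `smb.conf` with a semicolon rather than a comma splice.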
Line 35: Line 34:
= Configuring the <code>autorid</code> Back End =
= Configuring the <code>autorid</code> Back End =


To configure a Samba domain member to use the <code>autorid</code> ID mapping back end for the <code>*</code> default domain:
To configure a Samba domain member to use the <code>autorid</code> ID mapping back end for the <code>*</code> domain:


* Edit the <code>[global]</code> section in your <code>smb.conf</code> file
* Edit the <code>[global]</code> section in your <code>smb.conf</code> file

:{{Imbox
:{{Imbox
| type = note
| type = note
| text = If you use <code>autorid</code> for the default domain, adding additional ID mapping configurations for domains is optional.
| text = If you use <code>autorid</code> for the default domain, you can use other winbind backends for other domains, but the ranges must not overlap. See the <code>idmap_autorid(8)</code> man page.
}}
}}


Line 53: Line 51:


::Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the <code>THE MAPPING FORMULAS</code> in the <code>idmap_autorid(8)</code> man page.
::Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the <code>THE MAPPING FORMULAS</code> in the <code>idmap_autorid(8)</code> man page.



::{{Imbox
::{{Imbox
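Review bot: the unchanged context line `For details about how the back end calculated IDs, see the <code>THE MAPPING FORMULAS</code> in` should read `calculates`, and `see the <code>THE MAPPING FORMULAS</code> section in`, since the article "the" is otherwise doubled by the section title.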
Line 64: Line 63:


::Samba assigns this number of continuous IDs for each domain's object until all IDs from the range set in the <code>idmap config * : range</code> parameter are taken. For further details, see the <code>rangesize</code>parameter description in the <code>idmap_autorid(8)</code> man page.
::Samba assigns this number of continuous IDs for each domain's object until all IDs from the range set in the <code>idmap config * : range</code> parameter are taken. For further details, see the <code>rangesize</code>parameter description in the <code>idmap_autorid(8)</code> man page.



A basic smb.conf using the 'autorid' idmap backend, will look something like this:

[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration using the autorid
# idmap backend. This will work out of the box for simple setups
# as well as complex setups with trusted domains.
# NOTE: You cannot and must not use 'winbind use default domain = yes'
# with the autorid idmap backend. This means that your users
# will need to login using the format 'DOMAIN\username'.
# If you want your users to login just using 'username' then
# you cannot use the 'autorid' idmap backend.
idmap config * : backend = autorid
idmap config * : range = 10000-24999999

For information on the parameters, see the <code>smb.conf(5)</code> man page.




:* Set a shell and home directory path that will be assigned to all mapped users. For example:
:* Set a shell and home directory path that will be assigned to all mapped users. For example:
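Review bot: `<code>rangesize</code>parameter` is missing a space before `parameter`, and the sentence introducing the added sample has a stray comma (`idmap backend, will look`). For the added sample itself, every line must stay preformatted (a leading space on each line or a `<pre>` wrapper): the rendered revision shows it indented, but if the leading spaces are ever dropped MediaWiki turns the `# ...` comment lines into numbered-list items and joins the config lines into one paragraph.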

Latest revision as of 11:11, 20 April 2023

Introduction

The autorid back end works similar to the rid ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end:

  • For the * default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains.
  • Only for specific domains.

For alternatives, see Identity Mapping Back Ends.



Benefits and Drawbacks

Benefits:

  • All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member.
  • You do not need to manually assign IDs, home directories, and login shells.
  • No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.

Drawbacks:

  • User and group IDs will not be the same across Samba domain members.
  • All domain users get the same login shell and home directory assigned. However, you can use variables.
  • You cannot exclude individual users or groups from being available on the domain member. Only users and groups whose calculated UID or GID is outside of the configured range are excluded.
  • You cannot and must not use winbind use default domain = yes in smb.conf; users are always in the form 'DOMAIN\username'.


Configuring the autorid Back End

To configure a Samba domain member to use the autorid ID mapping back end for the * domain:

  • Edit the [global] section in your smb.conf file
  • Enable the autorid ID mapping back end for the * default domain:
idmap config * : backend = autorid
  • Set a range that is big enough to assign IDs for all existing and future objects. For example:
idmap config * : range = 10000-24999999
Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculates IDs, see THE MAPPING FORMULAS section in the idmap_autorid(8) man page.


  • Optionally, set a range size. For example:
idmap config * : rangesize = 200000
Samba assigns this number of contiguous IDs to each domain range until all IDs from the range set in the idmap config * : range parameter are used. For further details, see the rangesize parameter description in the idmap_autorid(8) man page.


A basic smb.conf using the 'autorid' idmap backend will look something like this:

[global]
       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM

       log file = /var/log/samba/%m.log
       log level = 1

       # Default ID mapping configuration using the autorid
       # idmap backend. This will work out of the box for simple setups
       # as well as complex setups with trusted domains.
       # NOTE: You cannot and must not use 'winbind use default domain = yes'
       #       with the autorid idmap backend. This means that your users
       #       will need to login using the format 'DOMAIN\username'.
       #       If you want your users to login just using 'username' then
       #       you cannot use the 'autorid' idmap backend.
       idmap config * : backend = autorid
       idmap config * : range = 10000-24999999

For information on the parameters, see the smb.conf(5) man page.


  • Set a shell and home directory path that will be assigned to all mapped users. For example:
template shell = /bin/bash
template homedir = /home/%U
For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  • Optionally, add ID mapping configurations for individual domains. If no configuration exists for a domain, Samba calculates its IDs using the autorid back end settings of the previously configured * default domain.
  • Reload the Samba configuration:
# smbcontrol all reload-config
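As an added illustration (not code from the Samba wiki or the Samba project), the following Python models the formulas from THE MAPPING FORMULAS section of idmap_autorid(8) with the range and rangesize values used above, showing why two domains with the same RID never collide and which IDs fall outside the configured range. The in-memory, sequential hand-out of range numbers is a simplifying assumption; real autorid persists them in its database and its allocation order may differ.

```python
# Added example modelling the idmap_autorid(8) mapping formulas with the
# values used on this page. The sequential, in-memory allocation of range
# numbers is an assumption standing in for autorid's persistent database.
RANGE_LOW, RANGE_HIGH = 10000, 24999999   # idmap config * : range
RANGE_SIZE = 200000                        # idmap config * : rangesize


class AutoridSim:
    def __init__(self, low=RANGE_LOW, high=RANGE_HIGH, rangesize=RANGE_SIZE):
        self.low, self.high, self.rangesize = low, high, rangesize
        # number of whole rangesize-sized blocks that fit into the range
        self.max_ranges = (high - low + 1) // rangesize
        self._ranges = {}  # (domain SID, domain range index) -> RANGE NUMBER

    def _range_number(self, domain_sid, index):
        key = (domain_sid, index)
        if key not in self._ranges:
            if len(self._ranges) >= self.max_ranges:
                return None  # range exhausted: object cannot be mapped
            self._ranges[key] = len(self._ranges)  # assumption: next free number
        return self._ranges[key]

    def sid_to_id(self, sid):
        """ID = REDUCED RID + LOW + RANGE NUMBER * RANGE SIZE, or None."""
        domain_sid, rid_str = sid.rsplit("-", 1)
        rid = int(rid_str)
        reduced_rid = rid % self.rangesize          # REDUCED RID
        domain_range_index = rid // self.rangesize  # DOMAIN RANGE INDEX
        number = self._range_number(domain_sid, domain_range_index)
        if number is None:
            return None
        return reduced_rid + self.low + number * self.rangesize

    def id_to_sid(self, unix_id):
        """Reverse formula; None for IDs outside the range or unallocated blocks."""
        if not self.low <= unix_id <= self.high:
            return None
        number = (unix_id - self.low) // self.rangesize
        for (domain_sid, index), n in self._ranges.items():
            if n == number:
                rid = (unix_id - self.low) % self.rangesize + index * self.rangesize
                return f"{domain_sid}-{rid}"
        return None


if __name__ == "__main__":
    sim = AutoridSim()
    for s in ("S-1-5-21-1-2-3-1000", "S-1-5-21-9-9-9-1000", "S-1-5-21-1-2-3-200005"):
        print(s, "->", sim.sid_to_id(s))
```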



Additional Resources

  • idmap_autorid(8) man page